Cyber Security at Teracore

The first step in our strategy focuses on the most fallible piece of the security puzzle: the human element.

A large portion of security breaches are due to stolen credentials, whether exposed in a data breach, obtained through a phishing attack, or taken by more sinister methods like keyloggers or buying them on the dark web. On top of that, a ridiculous amount of data loss and damage is caused by employee negligence.

Now, employee negligence sounds a bit harsh and finger-pointy. What it really means is that an employee did not follow cyber security protocols, but many companies don’t have cyber security protocols, or haven’t implemented effective cyber security training, so let’s add employer negligence here too.

Our approach

  1. The principle of least privilege
    The principle states: a user should only be granted the information and resources that are essential to performing their task.
    A junior developer should not have admin rights to a database on a production site, and a content editor should not be able to delete plugins or apply patches on a WordPress website.
  2. We limit the number of people who have admin access to critical systems.
    This includes the ability to create and destroy servers, edit DNS records, view client data, etc.
  3. Enforce unique, strong passwords for all websites and services.
    All Teracore employees and sub-contractors are required to use a password manager to generate random strong passwords and to ensure passwords are not reused across different sites or services.
  4. Multi-factor authentication
    MFA (or two-factor authentication) is used wherever possible. We prefer authenticator-app based methods over email and SMS.
  5. No account sharing
    Employees, sub-contractors and clients are required to have their own accounts for any services or websites.

The second biggest contributor to security breaches can be attributed to vulnerabilities in outdated or badly coded themes and plugins.
So we maintain a weekly update schedule to keep things fresh.
We also monitor various WordPress blogs and vulnerability databases for known vulnerabilities.

Our approach

  • We apply weekly theme, plugin and core file updates.
  • Security updates are applied as they become available.
  • We monitor the activity on your websites and schedule updates when traffic is low.
  • If a WordPress vulnerability is recorded in the Threatpress database (https://db.threatpress.com/), an automatic virtual patch is deployed to prevent the vulnerability from being exploited. The vulnerable software is then removed and replaced with a suitable, secure alternative.
  • AI-assisted visual monitoring checks the site after an update and notifies our team if there is a layout shift of more than 3%; the site is then visually checked and tested by a human.

There are over 260 million self-hosted WordPress websites, making WordPress sites a juicy target for hackers. We’ve already covered negligence and outdated software, so here we will detail the additional security measures that we implement to defend our sites against the OWASP Top 10 security vulnerabilities.

Our approach

  • Install SSL certificates and force HTTPS
  • Weekly Ubuntu Linux and NGINX updates
  • Secure (supported) PHP versions
  • Secure usernames and passwords
  • Disable directory browsing and apply system file protection
  • Disable PHP execution in the uploads and themes directories
  • Secure wp-config.php
  • Add security headers
  • Enable SFTP and SSH access only
  • Enforce NGINX rate limiting
  • Disable the default WordPress login page
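Several of the items in the list above are single NGINX directives. The server block below is an added example written for this page, not Teracore's or GridPane's configuration; the domain, web root, certificate paths and the php-fpm socket path are assumptions. It forces HTTPS, turns off directory listings, adds security headers, blocks PHP execution under wp-content/uploads and wp-content/themes, denies direct access to wp-config.php and dotfiles, and rate-limits wp-login.php.

```nginx
# Added example, not Teracore's configuration. Paths and names are assumptions.

# Rate-limiting state shared by all workers (item: "Enforce NGINX rate limiting").
# Must live in the http{} context: 10 MB of state, 2 requests/second per client IP.
limit_req_zone $binary_remote_addr zone=wplogin:10m rate=2r/s;

# Plain-HTTP listener whose only job is to force HTTPS (item: "force HTTPS").
server {
    listen 80;
    server_name example.com;                       # assumed
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name example.com;                       # assumed
    root /var/www/example.com/public;              # assumed
    index index.php;

    ssl_certificate     /etc/ssl/example.com/fullchain.pem;  # assumed path
    ssl_certificate_key /etc/ssl/example.com/privkey.pem;    # assumed path

    # Item: "Disable directory browsing".
    autoindex off;

    # Item: "Add security headers". "always" also sends them on error responses.
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Item: "Disable PHP execution in the uploads and themes directories".
    # Regex locations are matched in file order, so this must precede the
    # generic \.php$ handler below or the script would still reach php-fpm.
    location ~* ^/wp-content/(uploads|themes)/.*\.php$ {
        deny all;
    }

    # Item: "Secure wp-config.php" / "system file protection": never serve these.
    location ~* /(wp-config\.php|\.user\.ini|readme\.html|license\.txt)$ {
        deny all;
    }
    location ~ /\. {            # dotfiles such as .git, .env, .htaccess
        deny all;
    }

    # Rate-limit the login form: bursts of up to 5 extra requests are queued,
    # anything beyond that gets HTTP 429 instead of reaching PHP.
    location = /wp-login.php {
        limit_req zone=wplogin burst=5 nodelay;
        limit_req_status 429;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php8.2-fpm.sock;   # assumed socket
    }

    location / {
        try_files $uri $uri/ /index.php?$args;     # WordPress pretty permalinks
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php8.2-fpm.sock;   # assumed socket
    }
}
```

Check it with `nginx -t` before reloading. The deny rules for uploads and themes only work because NGINX stops at the first matching regex location, so keep them above the catch-all `\.php$` block; moving them below it silently re-enables PHP execution in those directories.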


Firewalls
At the server level we use the 7G firewall, an effective way to block a wide range of attacks, including:
  • WordPress-specific exploits
  • HTTP response splitting
  • Cross-site scripting (XSS)
  • Cache poisoning
  • Dual-header exploits
  • SQL/PHP/code injection
  • File injection/inclusion
In addition to the 7G firewall we use the WebArx WAF for virtual patching.

Brute force and bot protection
We use WPfail2ban to monitor suspicious activity and proactively ban, across our whole network, IP addresses that scan our sites for vulnerabilities.


Whenever I talk about backups I have to quote Patrick Gallagher, the CEO of GridPane (our favourite hosting panel):
“Good backups are like insurance… if insurance covered everything, cost practically nothing, and always paid out.”

While backups can’t protect you against security breaches or data breaches, they do protect you against data loss.

We employ comprehensive backup schedules on all of our hosting plans. The retention period is 14 days. Business and Enterprise clients may provide their own credentials for OneDrive, Dropbox, pCloud, Amazon S3 or DigitalOcean Spaces to have a copy of the backup sent to their cloud storage provider of choice.

Pro Package

  • Monthly complete server backups stored with the IaaS provider
  • Daily local WordPress backups stored on the server
  • Weekly WordPress backups sent to Wasabi remote storage

Business Package

  • Monthly complete server backups stored with the IaaS provider
  • Hourly local WordPress backups stored on the server
  • Daily WordPress backups sent to Wasabi remote storage

Enterprise Package

  • Weekly complete server backups stored with the IaaS provider
  • Hourly local WordPress backups stored on the server
  • Daily WordPress backups sent to Wasabi remote storage
  • Monthly WordPress backups stored on a physical drive

Knowing is half the battle, and that’s where logging comes in. Activity logging, along with strong access and identity management, allows us to determine exactly which user or service account is responsible for every action that takes place in our hosting environment and on our clients’ sites.